Set elastic password and generate enrollment token (#75816)

Set elastic password and generate enrollment token for initial node

Co-authored-by: Elastic Machine <[email protected]>

Author: BigPandaToo

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/esnative/tool/ResetElasticPasswordTool.java

@@ -31,6 +31,8 @@
 import java.util.List;
 import java.util.function.Function;
 
+import static org.elasticsearch.xpack.security.tool.CommandLineHttpClient.createURL;
+
 public class ResetElasticPasswordTool extends BaseRunAsSuperuserCommand {
 
     private final Function<Environment, CommandLineHttpClient> clientFunction;
@@ -92,7 +94,7 @@ protected void executeCommand(Terminal terminal, OptionSet options, Environment
                 username,
                 password,
                 () -> requestBodySupplier(elasticPassword),
-                this::responseBuilder
+                CommandLineHttpClient::responseBuilder
             );
             final int responseStatus = httpResponse.getHttpStatus();
             if (httpResponse.getHttpStatus() != HttpURLConnection.HTTP_OK) {

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/esnative/tool/SetupPasswordTool.java

@@ -418,7 +418,7 @@ void checkClusterHealth(Terminal terminal) throws Exception {
                 terminal.errorPrintln("Failed to determine the health of the cluster running at " + url);
                 terminal.errorPrintln("Unexpected response code [" + httpResponse.getHttpStatus() + "] from calling GET " +
                     route.toString());
-                final String cause = getErrorCause(httpResponse);
+                final String cause = CommandLineHttpClient.getErrorCause(httpResponse);
                 if (cause != null) {
                     terminal.errorPrintln("Cause: " + cause);
                 }
@@ -477,7 +477,7 @@ private void changeUserPassword(String user, SecureString password, Terminal ter
                     terminal.errorPrintln("");
                     terminal.errorPrintln(
                             "Unexpected response code [" + httpResponse.getHttpStatus() + "] from calling PUT " + route.toString());
-                    String cause = getErrorCause(httpResponse);
+                    String cause = CommandLineHttpClient.getErrorCause(httpResponse);
                     if (cause != null) {
                         terminal.errorPrintln("Cause: " + cause);
                         terminal.errorPrintln("");
@@ -564,32 +564,6 @@ private URL createURL(URL url, String path, String query) throws MalformedURLExc
         }
     }
 
-    private String getErrorCause(HttpResponse httpResponse) {
-        final Object error = httpResponse.getResponseBody().get("error");
-        if (error == null) {
-            return null;
-        }
-        if (error instanceof Map) {
-            Object reason = ((Map) error).get("reason");
-            if (reason != null) {
-                return reason.toString();
-            }
-            final Object root = ((Map) error).get("root_cause");
-            if (root != null && root instanceof Map) {
-                reason = ((Map) root).get("reason");
-                if (reason != null) {
-                    return reason.toString();
-                }
-                final Object type = ((Map) root).get("type");
-                if (type != null) {
-                    return (String) type;
-                }
-            }
-            return String.valueOf(((Map) error).get("type"));
-        }
-        return error.toString();
-    }
-
     private byte[] toByteArray(InputStream is) throws IOException {
         ByteArrayOutputStream baos = new ByteArrayOutputStream();
         byte[] internalBuffer = new byte[1024];

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/enrollment/EnrollmentToken.java

@@ -0,0 +1,64 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package org.elasticsearch.xpack.security.enrollment;
+
+import org.elasticsearch.common.Strings;
+import org.elasticsearch.common.xcontent.XContentBuilder;
+import org.elasticsearch.common.xcontent.json.JsonXContent;
+
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
+import java.util.List;
+import java.util.Objects;
+
+public class EnrollmentToken {
+    private final String apiKey;
+    private final String fingerprint;
+    private final String version;
+    private final List<String > boundAddress;
+
+    public String getApiKey() { return apiKey; }
+    public String getFingerprint() { return fingerprint; }
+    public String getVersion() { return version; }
+    public List<String> getBoundAddress() { return boundAddress; }
+
+    /**
+     * Create an EnrollmentToken
+     *
+     * @param apiKey         API Key credential in the form apiKeyId:ApiKeySecret to be used for enroll calls
+     * @param fingerprint    hex encoded SHA256 fingerprint of the HTTP CA cert
+     * @param version        node version number
+     * @param boundAddress   IP Addresses and port numbers for the interfaces where the Elasticsearch node is listening on
+     */
+    public EnrollmentToken(String apiKey, String fingerprint, String version, List<String> boundAddress) {
+        this.apiKey = Objects.requireNonNull(apiKey);
+        this.fingerprint = Objects.requireNonNull(fingerprint);
+        this.version = Objects.requireNonNull(version);
+        this.boundAddress = Objects.requireNonNull(boundAddress);
+    }
+
+    public String getRaw() throws Exception {
+        final XContentBuilder builder = JsonXContent.contentBuilder();
+        builder.startObject();
+        builder.field("ver", version);
+        builder.startArray("adr");
+        for (String bound_address : boundAddress) {
+            builder.value(bound_address);
+        }
+        builder.endArray();
+        builder.field("fgr", fingerprint);
+        builder.field("key", apiKey);
+        builder.endObject();
+        return Strings.toString(builder);
+    }
+
+    public String getEncoded() throws Exception {
+        final String jsonString = getRaw();
+        return Base64.getUrlEncoder().encodeToString(jsonString.getBytes(StandardCharsets.UTF_8));
+    }
+}

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/enrollment/CreateEnrollmentToken.java renamed to x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/enrollment/EnrollmentTokenGenerator.java

@@ -36,71 +36,51 @@
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.net.URL;
-import java.nio.charset.StandardCharsets;
 import java.security.PrivateKey;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
-import java.util.Base64;
 import java.util.List;
 import java.util.Map;
 import java.util.Objects;
 import java.util.stream.Collectors;
 
-public class CreateEnrollmentToken {
+public class EnrollmentTokenGenerator {
     protected static final String ENROLL_API_KEY_EXPIRATION = "30m";
 
-    private static final Logger logger = LogManager.getLogger(CreateEnrollmentToken.class);
+    private static final Logger logger = LogManager.getLogger(EnrollmentTokenGenerator.class);
     private final Environment environment;
     private final SSLService sslService;
     private final CommandLineHttpClient client;
     private final URL defaultUrl;
 
-    public CreateEnrollmentToken(Environment environment) throws MalformedURLException {
+    public EnrollmentTokenGenerator(Environment environment) throws MalformedURLException {
         this(environment, new CommandLineHttpClient(environment));
     }
 
     // protected for testing
-    protected CreateEnrollmentToken(Environment environment, CommandLineHttpClient client) throws MalformedURLException {
+    protected EnrollmentTokenGenerator(Environment environment, CommandLineHttpClient client) throws MalformedURLException {
         this.environment = environment;
         this.sslService = new SSLService(environment);
         this.client = client;
         this.defaultUrl = new URL(client.getDefaultURL());
     }
 
-    public String createNodeEnrollmentToken(String user, SecureString password) throws Exception {
+    public EnrollmentToken createNodeEnrollmentToken(String user, SecureString password) throws Exception {
         return this.create(user, password, NodeEnrollmentAction.NAME);
     }
 
-    public String createKibanaEnrollmentToken(String user, SecureString password) throws Exception {
+    public EnrollmentToken createKibanaEnrollmentToken(String user, SecureString password) throws Exception {
         return this.create(user, password, KibanaEnrollmentAction.NAME);
     }
 
-    protected String create(String user, SecureString password, String action) throws Exception {
+    protected EnrollmentToken create(String user, SecureString password, String action) throws Exception {
         if (XPackSettings.ENROLLMENT_ENABLED.get(environment.settings()) != true) {
             throw new IllegalStateException("[xpack.security.enrollment.enabled] must be set to `true` to create an enrollment token");
         }
         final String fingerprint = getCaFingerprint();
         final String apiKey = getApiKeyCredentials(user, password, action);
         final Tuple<List<String>, String> httpInfo = getNodeInfo(user, password);
-
-        try {
-            final XContentBuilder builder = JsonXContent.contentBuilder();
-            builder.startObject();
-            builder.field("ver", httpInfo.v2());
-            builder.startArray("adr");
-            for (String bound_address : httpInfo.v1()) {
-                builder.value(bound_address);
-            }
-            builder.endArray();
-            builder.field("fgr", fingerprint);
-            builder.field("key", apiKey);
-            builder.endObject();
-            final String jsonString = Strings.toString(builder);
-            return Base64.getUrlEncoder().encodeToString(jsonString.getBytes(StandardCharsets.UTF_8));
-        } catch (Exception e) {
-            logger.error(("Error generating enrollment token"), e);
-            throw new IllegalStateException("Error generating enrollment token: " + e.getMessage());
-        }
+        return new EnrollmentToken(apiKey, fingerprint, httpInfo.v2(), httpInfo.v1());
     }
 
     private HttpResponse.HttpResponseBuilder responseBuilder(InputStream is) throws IOException {

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/enrollment/tool/BootstrapPasswordAndEnrollmentTokenForInitialNode.java

@@ -0,0 +1,154 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+package org.elasticsearch.xpack.security.enrollment.tool;
+
+import joptsimple.OptionSet;
+import joptsimple.OptionSpec;
+
+import org.elasticsearch.cli.ExitCodes;
+import org.elasticsearch.cli.KeyStoreAwareCommand;
+import org.elasticsearch.cli.Terminal;
+import org.elasticsearch.cli.UserException;
+import org.elasticsearch.common.Strings;
+import org.elasticsearch.common.settings.KeyStoreWrapper;
+import org.elasticsearch.common.settings.SecureString;
+import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.common.xcontent.XContentBuilder;
+import org.elasticsearch.common.xcontent.json.JsonXContent;
+import org.elasticsearch.core.CheckedFunction;
+import org.elasticsearch.env.Environment;
+import org.elasticsearch.xpack.core.security.user.ElasticUser;
+import org.elasticsearch.xpack.security.authc.esnative.ReservedRealm;
+import org.elasticsearch.xpack.security.enrollment.EnrollmentToken;
+import org.elasticsearch.xpack.security.enrollment.EnrollmentTokenGenerator;
+import org.elasticsearch.xpack.security.tool.CommandLineHttpClient;
+import org.elasticsearch.xpack.security.tool.HttpResponse;
+
+import java.io.IOException;
+import java.net.HttpURLConnection;
+import java.net.MalformedURLException;
+import java.net.URISyntaxException;
+import java.net.URL;
+import java.security.SecureRandom;
+import java.util.function.Function;
+
+import static org.elasticsearch.xpack.security.tool.CommandLineHttpClient.createURL;
+
+public class BootstrapPasswordAndEnrollmentTokenForInitialNode extends KeyStoreAwareCommand {
+    private final CheckedFunction<Environment, EnrollmentTokenGenerator, Exception> createEnrollmentTokenFunction;
+    private final Function<Environment, CommandLineHttpClient> clientFunction;
+    private final CheckedFunction<Environment, KeyStoreWrapper, Exception> keyStoreFunction;
+    private final OptionSpec<Void> includeNodeEnrollmentToken;
+    private final SecureRandom secureRandom = new SecureRandom();
+
+    BootstrapPasswordAndEnrollmentTokenForInitialNode() {
+        this(
+            environment -> new CommandLineHttpClient(environment),
+            environment -> KeyStoreWrapper.load(environment.configFile()),
+            environment -> new EnrollmentTokenGenerator(environment)
+        );
+    }
+
+    BootstrapPasswordAndEnrollmentTokenForInitialNode(Function<Environment, CommandLineHttpClient> clientFunction,
+                                                      CheckedFunction<Environment, KeyStoreWrapper, Exception> keyStoreFunction,
+                                                      CheckedFunction<Environment, EnrollmentTokenGenerator, Exception>
+                                                     createEnrollmentTokenFunction){
+        super("Set elastic password and generate enrollment token for initial node");
+        this.clientFunction = clientFunction;
+        this.keyStoreFunction = keyStoreFunction;
+        this.createEnrollmentTokenFunction = createEnrollmentTokenFunction;
+        includeNodeEnrollmentToken = parser.accepts("include-node-enrollment-token", "determine that we have to generate " +
+            "a node enrollment token");
+    }
+
+    public static void main(String[] args) throws Exception {
+        exit(new BootstrapPasswordAndEnrollmentTokenForInitialNode().main(args, Terminal.DEFAULT));
+    }
+
+    @Override
+    protected void execute(Terminal terminal, OptionSet options, Environment env) throws Exception {
+        final SecureString keystorePassword;
+        try {
+            keystorePassword = new SecureString(terminal.readSecret(""));
+        } catch (Exception e) {
+            throw new UserException(ExitCodes.USAGE, null);
+        }
+
+        final Environment secureEnvironment = readSecureSettings(env, keystorePassword);
+        final CommandLineHttpClient client = clientFunction.apply(secureEnvironment);
+        final EnrollmentTokenGenerator enrollmentTokenGenerator = createEnrollmentTokenFunction.apply(secureEnvironment);
+        final SecureString bootstrapPassword = ReservedRealm.BOOTSTRAP_ELASTIC_PASSWORD.get(secureEnvironment.settings());
+        try {
+            String output;
+            client.checkClusterHealthWithRetriesWaitingForCluster(ElasticUser.NAME, bootstrapPassword, 15);
+            final EnrollmentToken kibanaToken = enrollmentTokenGenerator.createKibanaEnrollmentToken(ElasticUser.NAME, bootstrapPassword);
+            output = "Kibana enrollment token: " + kibanaToken.getEncoded() + System.lineSeparator();
+            output += "CA fingerprint: " + kibanaToken.getFingerprint() + System.lineSeparator();
+            if (options.has(includeNodeEnrollmentToken)) {
+                final EnrollmentToken nodeToken = enrollmentTokenGenerator.createNodeEnrollmentToken(ElasticUser.NAME, bootstrapPassword);
+                output += "Node enrollment token: " + nodeToken.getEncoded() + System.lineSeparator();
+            }
+            if (ReservedRealm.BOOTSTRAP_ELASTIC_PASSWORD.exists(secureEnvironment.settings()) == false) {
+                output += "elastic user password: " + setElasticUserPassword(client, bootstrapPassword);
+            }
+            terminal.println(output);
+        } catch (Exception e) {
+            throw new UserException(ExitCodes.UNAVAILABLE, null);
+        }
+    }
+
+    protected SecureString setElasticUserPassword(CommandLineHttpClient client, SecureString bootstrapPassword) throws Exception {
+        final URL passwordSetUrl = setElasticUserPasswordUrl(client);
+        final HttpResponse response;
+        SecureString password = new SecureString(generatePassword(20));
+        try {
+            response = client.execute("POST", passwordSetUrl, ElasticUser.NAME, bootstrapPassword,
+                () -> {
+                    XContentBuilder xContentBuilder = JsonXContent.contentBuilder();
+                    xContentBuilder.startObject().field("password", password.toString()).endObject();
+                    return Strings.toString(xContentBuilder);
+                }, CommandLineHttpClient::responseBuilder);
+            if (response.getHttpStatus() != HttpURLConnection.HTTP_OK) {
+                throw new UserException(ExitCodes.UNAVAILABLE, null);
+            }
+        } catch (IOException e) {
+            throw new UserException(ExitCodes.IO_ERROR, null);
+        }
+        return password;
+    }
+
+    Environment readSecureSettings(Environment env, SecureString keystorePassword) throws Exception {
+        final KeyStoreWrapper keyStoreWrapper = keyStoreFunction.apply(env);
+        keyStoreWrapper.decrypt(keystorePassword.getChars());
+        Settings.Builder settingsBuilder = Settings.builder();
+        settingsBuilder.put(env.settings(), true);
+        if (settingsBuilder.getSecureSettings() == null) {
+            settingsBuilder.setSecureSettings(keyStoreWrapper);
+        }
+        final Settings settings = settingsBuilder.build();
+        return new Environment(settings, env.configFile());
+    }
+
+    public static URL checkClusterHealthUrl(CommandLineHttpClient client) throws MalformedURLException, URISyntaxException {
+        return createURL(new URL(client.getDefaultURL()), "_cluster/health", "?pretty");
+    }
+
+    public static URL setElasticUserPasswordUrl(CommandLineHttpClient client) throws MalformedURLException, URISyntaxException {
+        return createURL(new URL(client.getDefaultURL()), "/_security/user/" + ElasticUser.NAME + "/_password",
+            "?pretty");
+    }
+
+    protected char[] generatePassword(int passwordLength) {
+        final char[] passwordChars = ("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789~!@#$%^&*-_=+?").toCharArray();
+        char[] characters = new char[passwordLength];
+        for (int i = 0; i < passwordLength; ++i) {
+            characters[i] = passwordChars[secureRandom.nextInt(passwordChars.length)];
+        }
+        return characters;
+    }
+}